<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 9/1/15 1:10 AM, 慕冬亮 wrote:<br>
</div>
<blockquote
cite="mid:CAD-N9QU-_7XSYybmjWnrQW24VbNA6aSSsG6aKhf0k+xNe0+73w@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-09-01 11:38 GMT+08:00 John
Criswell <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:jtcriswel@gmail.com" target="_blank">jtcriswel@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote">
<div><span>
<div>On 8/31/15 10:43 PM, 慕冬亮 via llvm-dev wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I want to create an experiment to
show the effectiveness of CFI:
<div>For example, </div>
<div>I first need a program with a vulnerability so
that we can hijack its control flow;</div>
<div><br>
</div>
<div>then I enforce LLVM's CFI and we can't
hijack its control flow.</div>
<div><br>
</div>
<div>Do you have any advice for me?</div>
</div>
</blockquote>
<br>
</span> The CFI implementation we updated to work with
x86-64 for the KCoFI project is available at <a
moz-do-not-send="true"
href="https://github.com/jtcriswell/SVA"
target="_blank">https://github.com/jtcriswell/SVA</a>.
You'll need to create the exploit code (and potentially
the vulnerability) yourself. If you read the literature
on CFI and memory safety (some of which is cataloged at
<a moz-do-not-send="true"
href="http://sva.cs.illinois.edu/menagerie"
target="_blank">http://sva.cs.illinois.edu/menagerie</a>),
you should be able to find programs and vulnerabilities
that have been used in such experiments.<br>
<br>
</div>
</blockquote>
<div>I think there are lots of program fragments in the
literature. Is there any complete program to show that CFI
can protect control flow? </div>
<div>It's just a basic theory demonstration, not an academic paper!</div>
</div>
</div>
</div>
</blockquote>
<br>
I'm pretty sure that some of the academic papers try out CFI on real
vulnerabilities in real programs. You will simply need to read
through them to figure out what exploits they tried and on which
programs they tried them.<br>
<br>
For example, the Out-of-Control paper from the 2014 IEEE Security
and Privacy Symposium shows how to do an attack against a CFI
system. If I recall correctly, they do a real exploit on a real
program. The same is true for the "Hacking in the Blind" paper from
the same conference.<br>
<br>
Something else you might want to check out is Code Pointer
Integrity. The source code is publicly available, and it's built
using LLVM. The paper was in OSDI 2014 and most likely contains a
URL for getting the source code. Code Pointer Integrity is, in a
way, CFI on steroids.<br>
<br>
<blockquote
cite="mid:CAD-N9QU-_7XSYybmjWnrQW24VbNA6aSSsG6aKhf0k+xNe0+73w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote">
<div> That said, doing an experiment will not show that
CFI is effective; it will only show that CFI stops that
one particular attack that you are demonstrating. While
this was done in past research papers, it was only done
because it was one of the few methods of evaluating CFI
available. More recent work is showing the deficiencies
of evaluating CFI in this way (in a nutshell, simple CFI
defenses can be thwarted).<br>
<br>
Determining how to measure the effectiveness of defenses
against code-reuse attacks (such as Return-Oriented
programming, Return to Libc attacks, and Non-Control
data attacks) </div>
</blockquote>
<div>I don't think non-control data attacks are a kind of
code-reuse attack. It is better to call them data-oriented
attacks.</div>
</div>
</div>
</div>
</blockquote>
<br>
Actually, it is, though it may not be obvious. A non-control data
attack changes the data on which instructions compute without
injecting new instructions or modifying the control data.
Therefore, the attack is reusing the existing code but feeding that
code corrupted data as input. Ergo, non-control data attacks are
code reuse attacks.<br>
<br>
<blockquote
cite="mid:CAD-N9QU-_7XSYybmjWnrQW24VbNA6aSSsG6aKhf0k+xNe0+73w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote">
<div>is an active area of research. My students and I are
working to devise methods of evaluating defenses, but as
the work is in its very early stages, that's all I can
say about it at present.<br>
<br>
</div>
</blockquote>
<div>This is an interesting topic, I think. </div>
<div>Thank you for your reply. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Thank you.<br>
<br>
Regards,<br>
<br>
John Criswell <br>
<br>
<pre class="moz-signature" cols="72">--
John Criswell
Assistant Professor
Department of Computer Science, University of Rochester
<a class="moz-txt-link-freetext" href="http://www.cs.rochester.edu/u/criswell">http://www.cs.rochester.edu/u/criswell</a></pre>
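<p>The non-control data point made in the reply above, as an added C example that is not part of this thread and not code from the SVA, KCoFI or CPI projects. The struct layout, field names and payload bytes are constructed for illustration. An unchecked copy into a fixed-size name field overflows into an adjacent privilege flag; no return address or function pointer is touched, so the one indirect call the program makes still goes to its legitimate target and a CFI check (for example clang's <code>-flto -fvisibility=hidden -fsanitize=cfi</code>) has nothing to reject. The hardened variant simply bounds the copy by the destination field.</p>

```c
/*
 * Added example (not from the thread): a non-control data attack.
 *
 * The overflow below corrupts is_admin but never writes a return
 * address or function pointer, so the program executes only the code
 * it was compiled with, on attacker-chosen data. A CFI-instrumented
 * build (e.g. clang -flto -fvisibility=hidden -fsanitize=cfi) sees a
 * perfectly legitimate indirect call and does not intervene.
 *
 * struct session, its field names and the payload are constructed for
 * this demo; they are not taken from any real program.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct session {
    char name[16];                       /* filled from untrusted input */
    int  is_admin;                       /* non-control data the overflow targets */
    void (*on_login)(struct session *);  /* control data; left untouched here */
};

static void greet(struct session *s) {
    printf("hello %.16s%s\n", s->name, s->is_admin ? " (admin)" : "");
}

/* Vulnerable: copies len bytes meant for the 16-byte name field without
 * checking len against that field. The write goes through a byte pointer
 * to the whole struct so that the spill into is_admin is well-defined C
 * for the purposes of this demo rather than undefined behaviour. */
static void set_name_vuln(struct session *s, const unsigned char *in, size_t len) {
    if (len > sizeof *s) len = sizeof *s;   /* stays inside the object, not the field */
    memcpy((unsigned char *)s, in, len);    /* the missing check is sizeof s->name */
}

/* Hardened: the copy is bounded by the destination field and oversized
 * input is rejected instead of silently truncated. */
static int set_name_safe(struct session *s, const unsigned char *in, size_t len) {
    if (len > sizeof s->name) return -1;
    memcpy(s->name, in, len);
    if (len < sizeof s->name) s->name[len] = '\0';
    return 0;
}

/* Runs the constructed payload against one of the two copy routines.
 * Return value is a bitmask: bit 0 set if the attacker ended up with
 * is_admin nonzero, bit 1 set if any control data (on_login) changed. */
static int run_attack(int hardened) {
    struct session s = { "guest", 0, greet };
    void (*before)(struct session *) = s.on_login;

    /* Constructed payload: 16 filler bytes, then 4 bytes landing exactly on
     * is_admin. 0x01 in every byte keeps the int nonzero on any endianness. */
    unsigned char payload[offsetof(struct session, is_admin) + sizeof(int)];
    memset(payload, 'A', offsetof(struct session, is_admin));
    memset(payload + offsetof(struct session, is_admin), 0x01, sizeof(int));

    if (hardened)
        (void)set_name_safe(&s, payload, sizeof payload);
    else
        set_name_vuln(&s, payload, sizeof payload);

    s.on_login(&s);   /* same target either way: nothing for CFI to flag */

    int result = 0;
    if (s.is_admin != 0)       result |= 1;   /* privilege flag flipped */
    if (s.on_login != before)  result |= 2;   /* control data corrupted */
    return result;
}

int main(void) {
    printf("vulnerable copy: result=%d (1 = admin gained, no control data changed)\n",
           run_attack(0));
    printf("hardened copy:   result=%d (0 = attack rejected)\n",
           run_attack(1));
    return 0;
}
```

<p>Against the vulnerable copy, <code>run_attack(0)</code> returns 1: the attacker is now an administrator while <code>on_login</code> still points at <code>greet</code>, which is exactly the case a CFI-only evaluation would miss. Against the bounded copy it returns 0 because the oversized input is refused before anything is written.</p>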
</body>
</html>